While setting up Dovecot 2.4 on Debian 13, I ran into being unable to log in to an account with the classic MariaDB+Postfix+Dovecot stack, logging in via Thunderbird. The logs show the following:
Oct 28 11:39:08 MAIL.MYDOMAIN.COM systemd[1]: Starting dovecot.service - Dovecot IMAP/POP3 email server...
Oct 28 11:39:08 MAIL.MYDOMAIN.COM dovecot[20423]: master: Dovecot v2.4.1-4 (7d8c0e5759) starting up for imap, pop3, lmtp (core dumps disabled)
Oct 28 11:39:08 MAIL.MYDOMAIN.COM systemd[1]: Started dovecot.service - Dovecot IMAP/POP3 email server.
Oct 28 11:39:51 MAIL.MYDOMAIN.COM dovecot[20426]: imap-login: Login aborted: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42 (disconnected during TLS handshake) (tls_handshake_not_finished): user=<>, rip=87.120.222.33, lip=MY_VPS_IP, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42, session=<vzBEeTZC6uhXeN4h>
Oct 28 11:39:51 MAIL.MYDOMAIN.COM dovecot[20426]: imap-login: Login aborted: Logged out (no auth attempts in 1 secs) (no_auth_attempts): user=<>, rip=78.159.131.103, lip=MY_VPS_IP, TLS, session=<x99CeTZCIONOn4Nn>
Oct 28 11:39:54 MAIL.MYDOMAIN.COM dovecot[20426]: pop3-login: Login aborted: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42 (disconnected during TLS handshake) (tls_handshake_not_finished): user=<>, rip=94.156.152.8, lip=MY_VPS_IP, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42, session=<IBFYeTZCurRenJgI>
Oct 28 11:39:57 MAIL.MYDOMAIN.COM dovecot[20426]: pop3-login: Login aborted: Logged out (no auth attempts in 6 secs) (no_auth_attempts): user=<>, rip=165.73.242.163, lip=MY_VPS_IP, TLS, session=<oe9ZeTZC7r+lSfKj>
Oct 28 11:40:09 MAIL.MYDOMAIN.COM unix_chkpwd[20448]: check pass; user unknown
Oct 28 11:40:09 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): check pass; user unknown
Oct 28 11:40:09 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko rhost=93.94.51.243
Oct 28 11:40:18 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): check pass; user unknown
Oct 28 11:40:18 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko rhost=93.94.51.243
Oct 28 11:40:26 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): check pass; user unknown
Oct 28 11:40:26 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko rhost=93.94.51.243
Oct 28 11:40:30 MAIL.MYDOMAIN.COM dovecot[20426]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 21 secs) (auth_failed): user=<riniko>, method=PLAIN, rip=93.94.51.243, lip=MY_VPS_IP, TLS, session=<tzhjejZCishdXjPz>
Oct 28 11:40:30 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): check pass; user unknown
Oct 28 11:40:30 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko@MYDOMAIN.COM rhost=93.94.51.243
Oct 28 11:40:38 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): check pass; user unknown
Oct 28 11:40:38 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko@MYDOMAIN.COM rhost=93.94.51.243
I'll describe step by step what I do. First, the certificates for MAIL.MYDOMAIN.COM exist. They are specified in /etc/postfix/main.cf:
smtpd_tls_cert_file=/etc/letsencrypt/live/MAIL.MYDOMAIN.COM/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/MAIL.MYDOMAIN.COM/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
Now, the changes that were made for Dovecot version 2.4. The file /etc/dovecot/conf.d/10-mail.conf:
mail_driver = maildir
mail_home = /var/mail/vhost/%{user|domain}/%{user|username}
mail_path = %{home}/Maildir
mail_inbox_path = /var/mail/vhost/%{user}
In version 2.3 it was:
mail_location = maildir:/var/mail/vhosts/%d/%n/
Parameters that are the same in both configurations:
mail_privileged_group = mail
namespace inbox {
inbox = yes
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
}
The directory /var/mail/vhosts/DOMAINNAME.COM has been created. Ownership was set up with:
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
chown -R vmail:vmail /var/mail
In the file /etc/dovecot/conf.d/10-auth.conf, version 2.4:
auth_allow_cleartext = no
auth_mechanisms = plain login
!include auth-system.conf.ext
!include auth-sql.conf.ext
In version 2.3:
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext
In version 2.3 there was a file /etc/dovecot/dovecot-sql.conf.ext, which contained the following:
driver = mysql
connect = host=127.0.0.1 dbname=mailserver user=mailuser password=PASSWORD
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
And in the file /etc/dovecot/conf.d/auth-sql.conf.ext of version 2.3 there was:
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
In version 2.4, I moved the contents of /etc/dovecot/dovecot-sql.conf.ext into /etc/dovecot/conf.d/auth-sql.conf.ext:
sql_driver = mysql
mysql 127.0.0.1 {
user = mailuser
password = PASSWORD
dbname = mailserver
}
passdb sql {
query = SELECT password, email AS user FROM virtual_users WHERE email='%{user}'
}
In the file /etc/dovecot/conf.d/10-master.conf in version 2.3:
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
#group =
}
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
user = dovecot
}
service auth-worker {
user = vmail
}
In version 2.4 it is the same, but with small changes here:
service submission-login {
inet_listener submission {
#port = 587
}
inet_listener submissions {
#port = 465
}
}
In the file /etc/dovecot/conf.d/10-ssl.conf of version 2.4 I specified:
ssl = required
ssl_server_cert_file = /etc/letsencrypt/live/MAIL.MYDOMAIN.COM/fullchain.pem
ssl_server_key_file = /etc/letsencrypt/live/MAIL.MYDOMAIN.COM/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_server_dh_file = /etc/dovecot/dh.pem
In version 2.3:
ssl = required
ssl_cert = </etc/letsencrypt/live/MAIL.MYDOMAIN.COM/fullchain.pem
ssl_key = </etc/letsencrypt/live/MAIL.MYDOMAIN.COM/privkey.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
The DH key in /etc/dovecot/dh.pem has been created.
Please tell me, what am I doing wrong?
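The log excerpt in the question mixes two unrelated kinds of events: TLS handshakes aborted with alert 42 ("bad certificate") and "no auth attempts" disconnects from source IPs that never authenticate, and the actual failures for user riniko from 93.94.51.243, which are reported by pam_unix(dovecot:auth), i.e. by the PAM passdb that the included auth-system.conf.ext adds, with "user unknown" because no such system account exists. The following script is an added triage example, not part of the original post or of Dovecot itself; it parses the log lines copied from the question (embedded as a constructed sample) and groups them by failure class and source IP, so the probe noise can be separated from the client's real authentication path.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the log excerpt in the question
# (hostnames and the MY_VPS_IP placeholder exactly as they appear there).
SAMPLE_LOG = """\
Oct 28 11:39:51 MAIL.MYDOMAIN.COM dovecot[20426]: imap-login: Login aborted: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42 (disconnected during TLS handshake) (tls_handshake_not_finished): user=<>, rip=87.120.222.33, lip=MY_VPS_IP, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42, session=<vzBEeTZC6uhXeN4h>
Oct 28 11:39:51 MAIL.MYDOMAIN.COM dovecot[20426]: imap-login: Login aborted: Logged out (no auth attempts in 1 secs) (no_auth_attempts): user=<>, rip=78.159.131.103, lip=MY_VPS_IP, TLS, session=<x99CeTZCIONOn4Nn>
Oct 28 11:40:09 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): check pass; user unknown
Oct 28 11:40:09 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko rhost=93.94.51.243
Oct 28 11:40:30 MAIL.MYDOMAIN.COM dovecot[20426]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 21 secs) (auth_failed): user=<riniko>, method=PLAIN, rip=93.94.51.243, lip=MY_VPS_IP, TLS, session=<tzhjejZCishdXjPz>
Oct 28 11:40:30 MAIL.MYDOMAIN.COM auth[20446]: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=riniko@MYDOMAIN.COM rhost=93.94.51.243
"""

# "<proto>-login: Login aborted: ... (<reason>): user=<...>, rip=<ip>"
# The reason code is the last parenthesised token before "user=".
LOGIN_ABORT = re.compile(
    r"(?P<proto>\w+)-login: Login aborted: .*\((?P<reason>[a-z_]+)\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+)"
)
# pam_unix failure lines carry the user and the remote host separately.
PAM_FAIL = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure; .*ruser=(?P<user>\S+) rhost=(?P<rip>\S+)"
)


def parse_line(line):
    """Return a normalised event dict for a known line shape, else None."""
    m = LOGIN_ABORT.search(line)
    if m:
        return {"kind": m["reason"], "proto": m["proto"],
                "user": m["user"], "rip": m["rip"]}
    m = PAM_FAIL.search(line)
    if m:
        return {"kind": "pam_auth_failure", "proto": "auth",
                "user": m["user"], "rip": m["rip"]}
    return None


def triage(log_text):
    """Group events by failure class, counting (source IP, user) pairs."""
    by_kind = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_kind[ev["kind"]][(ev["rip"], ev["user"])] += 1
    return {kind: dict(c) for kind, c in by_kind.items()}


def pam_consulted(summary):
    """True if Dovecot's PAM passdb produced failures at all: that only
    happens when a PAM passdb is configured (here via auth-system.conf.ext)."""
    return "pam_auth_failure" in summary


def tls_noise_ips(summary):
    """Source IPs that aborted the TLS handshake and never reached
    authentication. Those are not the mail client's own connection."""
    tls = {ip for ip, _ in summary.get("tls_handshake_not_finished", {})}
    reached_auth = {ip for kind in ("auth_failed", "pam_auth_failure")
                    for ip, _ in summary.get(kind, {})}
    return sorted(tls - reached_auth)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for kind, pairs in s.items():
        print(kind, pairs)
    print("PAM passdb consulted:", pam_consulted(s))
    print("TLS-only probe IPs:", tls_noise_ips(s))
```

Run against the full journal (for example the output of journalctl -u dovecot piped into the script), the same grouping shows at a glance which source IP the real client is, whether its failures come from the PAM or the SQL passdb, and which "bad certificate" alerts are just other hosts rejecting the server certificate and disconnecting.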